FILE NO. DP-08

Data Protection

Secure data, secure future.

Legal Basis

Data Protection Act No. 24 of 2019 · Data Protection (General) Regulations, 2021 · Data Protection (Registration) Regulations, 2021 · Data Protection (Complaints Handling) Regulations, 2021 · Constitution of Kenya 2010, Article 31(c) and (d) · ODPC

Overview

Kenya’s Data Protection Act, 2019 (DPA) is the country’s first comprehensive privacy law, modelled on the EU’s GDPR and enacted to give effect to Article 31 of the Constitution. The ODPC is actively enforcing the Act — issuing penalty notices of up to KES 5 million, conducting compliance audits, and processing thousands of data subject complaints.

What We Do

  • ODPC Registration — The DPA prohibits any person from acting as a data controller or data processor without registration. Mandatory thresholds include businesses with annual turnover above KES 5 million, more than 10 employees, or processing data of 10,000+ data subjects per year.
  • Data Protection Compliance Audits — We conduct structured compliance assessments covering data inventory, lawful basis identification, privacy notices, data sharing arrangements, processor contracts, security measures, and breach notification procedures.
  • Privacy Notices & Consent Frameworks — Every organization that collects personal data must provide a clear, accessible privacy notice. Consent must be freely given, specific, informed, and unambiguous. We draft compliant privacy notices and consent forms.
  • Data Subject Rights Management — The DPA grants data subjects the rights to access, rectification, erasure, objection, and data portability. We design internal procedures for handling these requests.
  • Cross-Border Data Transfers — Transferring personal data outside Kenya requires adequate protections, explicit consent, contractual safeguards (SCCs), or Binding Corporate Rules. We advise on compliant transfer mechanisms.
  • Data Protection Impact Assessments — High-risk processing activities require a DPIA before they begin. We conduct DPIAs for new products, systems, or processes that involve significant data processing.
  • Data Protection Officer (DPO) Services — We provide outsourced DPO services for organisations that need this function without the cost of a full-time internal appointment.

Diaspora Advantage

  • Structure your Kenyan business’s data practices for compliance with both the Kenya DPA and the data protection law of your country of residence (GDPR for UK/EU, similar frameworks for US and Gulf states)
  • Advise on cross-border data transfer mechanisms when your Kenya-based operation shares data with foreign service providers, investors, or parent entities
  • Prepare and file ODPC registration for your Kenya-based entity while you manage operations remotely
  • Conduct a compliance audit of your Kenya business’s data handling practices and produce a remediation roadmap

Book a Consultation

Our Data Protection team is ready to advise. Book a free initial consultation — by phone, WhatsApp, or in person at our Ngong office.

WhatsApp 0707 329 013 · contact@nkm-advocates.co.ke